Handle invalid hex values in query strings in DRF extension

AetherUnbound · AetherUnbound · commit ea188973663f · 2024-07-26T15:44:47.000-07:00
diff --git a/AUTHORS b/AUTHORS
@@ -83,6 +83,7 @@ Kristian Rune Larsen
 Lazaros Toumanidis
 Ludwig Hähne
 Łukasz Skarżyński
+Madison Swain-Bowden
 Marcus Sonestedt
 Matias Seniquiel
 Michael Howitz
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1425 Remove deprecated `RedirectURIValidator`, `WildcardSet` per #1345; `validate_logout_request` per #1274
 
 ### Fixed
+* #1443 Query strings with invalid hex values now raise a SuspiciousOperation exception (in DRF extension)
 ### Security
 
 ## [2.4.0] - 2024-05-13
diff --git a/oauth2_provider/contrib/rest_framework/authentication.py b/oauth2_provider/contrib/rest_framework/authentication.py
@@ -1,5 +1,6 @@
 from collections import OrderedDict
 
+from django.core.exceptions import SuspiciousOperation
 from rest_framework.authentication import BaseAuthentication
 
 from ...oauth2_backends import get_oauthlib_core
@@ -23,10 +24,18 @@ def authenticate(self, request):
 Returns two-tuple of (user, token) if authentication succeeds,
 or None otherwise.
 """
+ if request is None:
+ return None
 oauthlib_core = get_oauthlib_core()
- valid, r = oauthlib_core.verify_request(request, scopes=[])
- if valid:
- return r.user, r.access_token
+ try:
+ valid, r = oauthlib_core.verify_request(request, scopes=[])
+ except ValueError as error:
+ if str(error) == "Invalid hex encoding in query string.":
+ raise SuspiciousOperation(error)
+ raise
+ else:
+ if valid:
+ return r.user, r.access_token
 request.oauth2_error = getattr(r, "oauth2_error",{})
 return None
 
diff --git a/tests/test_rest_framework.py b/tests/test_rest_framework.py
@@ -415,3 +415,9 @@ def test_authentication_none(self):
 auth = self._create_authorization_header(self.access_token.token)
 response = self.client.get("/oauth2-authentication-none/", HTTP_AUTHORIZATION=auth)
 self.assertEqual(response.status_code, 401)
+
+ def test_invalid_hex_string_in_query(self):
+ auth = self._create_authorization_header(self.access_token.token)
+ response = self.client.get("/oauth2-test/?q=73%%20of%20Arkansans", HTTP_AUTHORIZATION=auth)
+ # Should respond with a 400 rather than raise a ValueError
+ self.assertEqual(response.status_code, 400)

-Original file line number
+Diff line change
 *#1425 Remove deprecated `RedirectURIValidator`, `WildcardSet` per #1345; `validate_logout_request` per #1274
 ### Fixed
 +*#1443 Query strings with invalid hex values now raise a SuspiciousOperation exception (in DRF extension)
 ### Security
 ## [2.4.0] - 2024-05-13
-Original file line number
+Diff line change
@@ @@ -1,5 +1,6 @@ @@
 fromcollectionsimportOrderedDict
 +fromdjango.core.exceptionsimportSuspiciousOperation
 fromrest_framework.authenticationimportBaseAuthentication
 from ...oauth2_backendsimportget_oauthlib_core
  Returns two-tuple of (user, token) if authentication succeeds,
  or None otherwise.
  """
 +ifrequestisNone:
 +returnNone
 oauthlib_core=get_oauthlib_core()
 -valid, r=oauthlib_core.verify_request(request, scopes=[])
 -ifvalid:
 -returnr.user, r.access_token
 +try:
 +valid, r=oauthlib_core.verify_request(request, scopes=[])
 +exceptValueErroraserror:
 +ifstr(error) =="Invalid hex encoding in query string.":
 +raiseSuspiciousOperation(error)
 +raise
 +else:
 +ifvalid:
 +returnr.user, r.access_token
 request.oauth2_error=getattr(r, "oauth2_error",{})
 returnNone